fail2ban太慢,攻击后禁止

fail2ban太慢,攻击后禁止

我们的 VoIP 服务器(freeswitch)遭受了“注册”攻击。
在日志中它看起来像这样:

2019-04-25 14:35:16.137965 [WARNING] sofia_reg.c:1743 SIP auth failure (REGISTER) on sofia profile 'internal' for [[email protected]] from ip 77.247.108.59

为此,我们有 Fail2Ban,它应该在 10 次尝试后阻止该 IP。但这行不通。

Fail2Ban 在日志文件中写入许多“找到的”条目。在数千个条目和由于 Fail2Ban 而导致服务器缓慢之后,最后一个条目是“Ban [ip]”:

2019-04-25 14:37:18,961 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:19
2019-04-25 14:37:18,994 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:19
2019-04-25 14:37:19,033 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:19
2019-04-25 14:37:19,068 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:19
2019-04-25 14:37:19,114 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:19
2019-04-25 14:37:19,152 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,192 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,232 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,268 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,302 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,345 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,384 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,426 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:20,087 fail2ban.actions        [2167]: NOTICE  [freeswitch] Ban 77.247.108.59

这是 Fail2Ban 失败还是我配置错误?

监狱本地:

   [DEFAULT]
   ignoreip = [censored]
   ignorecommand = /usr/bin/php /etc/fail2ban/ignorecommands/freeswitch/check.php <ip>
   bantime  = 86400
   findtime = 3600
   maxretry = 10
   backend = auto
   usedns = warn
   banaction = iptables-multiport
   mta = sendmail
   protocol = tcp
   chain = INPUT
   action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
   action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
   action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
   action = %(action_)s

监狱.d / freeswitch.local:

[freeswitch]
enabled = true
ignoreip = [censored]
ignorecommand = /usr/bin/php /etc/fail2ban/ignorecommands/freeswitch/check.php <ip>
maxretry = 10
findtime = 3600
bantime = 3600
port     = 5060,5061,5080,5081
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/freeswitch/freeswitch.log

过滤器.d/freeswitch.conf

[Definition]
failregex = \[WARNING\] sofia_reg\.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
            \[WARNING\] sofia_reg\.c:\d+ SIP auth challenge \(INVITE\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
            \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$
            \"FAIL2BAN_HOST=<HOST>\"
            IP <HOST> Rejected by acl

Debian 9 Fail2Ban v0.10.5.dev1

相关内容